When my main blog is down, this is up.

privacy

Post navigation

The Silent Writing Collective is all about the process of writing, not about the word count or subsequently publishing it elsewhere. Still, I wrote almost 2,000 words in an hour and felt what I produced was decent enough to post here (unedited, but with formatting improvements).

Ever since the revelations about the National Security Agency in the US hit a few months ago, I’ve been meaning to write about them. Ostensibly, I should be in a position to give some guidance. I usually know enough, conceptually speaking, about privacy and security to be able to give advice to others.

This time, however, things are different. There’s nothing much you can really do when a large, powerful country like the USA decide to wield its power in an undemocratic way. Not only have they got access to a bewildering array of technological innovations, but they’re doing so in a secret way. Just check out the statement on Lavabit’s front page:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Lavabit was the encrypted email service used by NSA whistleblower Edward Snowden. Reading between the lines, it appears that the NSA wanted Lavabit to give them access to at least his email account, if not unfettered access to *everyone’s* account. This mixture of absolute power and secrecy is extremely worrying. Not only does it mean they are beyond the control of ‘the people’ in any jurisdiction, but I’m left wondering what kind of advice it’s even worth giving out.

I try to walk the walk in my technological life. I don’t recommend people use things that I don’t use myself. While others I’ve seen on Twitter, Hacker News and other online spaces have attempted to lock things down, I’ve felt a bit powerless. On the one hand, I too want to lock things down. While there’s no clear and present data of me being locked up for anything, I’m not a big fan of some bored NSA employee being able to find out more about me than even I know about myself.

Absolute power corrupts absolutely. We know that. But the response to the revelations amongst the general public so far seems to be ‘meh’. Some have used the classic response of ‘if you’re doing nothing wrong you’ve got nothing to fear’. This is so wrong-headed it’s unbelievable. We all break laws every day – even though the laws of the UK are finally online. If someone has access and can dig through everything you do then of course they’ll find something incriminating. It’s so close to an Orwellian nightmare it’s untrue.

I already overshare on the Internet, it’s true. But that’s both a tactic and an expression of who I am. I believe in my right to free and openly express who I am – and more importantly, how I want to be seen – to the world at large. The thing that concerns me is that I don’t really know where the NSA’s knowledge of me and my actions starts and stops. Apparently they have the ability to eavesdrop on conversations by firing a laser beam at a plastic cup in the same room as their target. Or even a window. There’s a reason why we put curtains on our windows. The spaces in which we know we’re alone (or alone with significant others) are important for self-development and, dare I say it human flourishing.

So what have I done in response to the NSA revelations? Not much, really. I’ve talked a good game and explored various options. I’ve kept up with the news and various articles linked to from Hacker News and The Guardian. But I haven’t actually done much. Part of that is because I don’t want to take the hit on my productivity – many of the ‘more secure’ replacements aren’t as slick or frictionless – but partly for another reason: I don’t feel like my weaponry against governments should be extreme crypto. I feel that it should be democratic processes. If someone or some organisation is abusing it’s power, then the people should have some recourse against them. Even if it’s a different sovereign country, the people of my country should be able to put pressure on them to do something about it.

Some of the things I’ve considered doing include switching from running Mac OS X on my (or rather, Mozilla’s) MacBook Pro to a variant of Linux. The MacBook the machine I use most of the time. Only rarely – like now, actually, as I’m writing this – will I use a ThinkPad X61 running Chromium OS. I’ve tried to use Linux as my main operating system since 1997 when, as a 16 year-old, I bought a book on Red Hat Linux to try and get my head around it. I kind of know my way around some of the commands, but it greatly frustrates me when updates break really important things such as wireless networking. Macs just work in a way I hadn’t experienced before using them. I suppose this ‘Chromiumbook’ isn’t bad, but I just feel that everything I write is fuelling Google’s ad dollars.

I think there’s nothing much we can do from a technological point of view as individual users versus the might of the NSA. Indeed, it might make matters worse as apparently their default filter for ‘is this person dangerous?’ is ‘if they use encryption, yes’. That, of course, makes them not even worth parodying, but does make me want to throw my hands in the air. Instead, though, what I think it’s important to do is to think about security and privacy more generally. What is it that we want to be secure? Who do we want to protect our privacy from?

I’m only speaking for myself here, but I think it might be more widely applicable:

I don’t want to be the victim of identity theft.

I want to be able to surf the Web anonymously if what I’m looking at/for could potentially compromise me personally or professionally.

While I’ve pretty much given up on email ever being secure, I want other communications to be locked down and visible to others only if at least one of the parties involved wants this to be the case.

I want to be able to craft multiple, discrete pseudo-anonymous personas without being forced to reveal the connections between them.

I suppose, overall, I don’t want to be watched or feel that I’m being watched. This might seem odd coming from someone who seemingly tweets and otherwise shares a fair bit of detail from my life. The difference is that it’s under my control. You’re seeing glimpses into my life through the filter or lens that I choose to put on it. That’s autonomy. That’s freedom.

So I am going to make some changes, but I’m not going to go nuts. I’ll keep doing what I can to put pressure on the UK and US governments to do something about the NSA over-reaching. I’ll keep up to date and support organisations like the Electronic Frontier Foundation who campaign on our behalf (their Who’s Got Your Back 2013 is well worth a read). I’m going to see what’s available in terms of other services that may offer more privacy and security. But, instead of automatically jumping ship, I’ll attempt to weigh the productivity cost. If it doesn’t seem to be worth it, then I won’t do it.

For all I’ve written above about how important I see security and privacy, I’ve come to expect that the technological tools I use afford me a certain level of fluency and productivity. My job and professional reputation indirectly (and at times, directly) depend upon this. I suppose there’s a heavily performative notion in there: I have to not only be productive but be seen to be productive (at least in the construct that’s in my head).

Also, it’s important to have at least a connection to ‘the (wo)man on the street’. As soon as you look like, or come across as, a special case then people stop paying attention to you. I’ve experienced some of that because I wrote my doctoral thesis on digital literacies and/or because I now work for Mozilla. “It’s easy for you to say,” people exclaim. Well, it’s not actually. It’s difficult and tortuous and philosophically problematic. I spend far too long thinking about this kind of stuff.

What I think is important is that we build a bridge between those who think the NSA revelations show that western governments somehow have “got our back” and those who, in the words of Marc Scott, have glued a tinfoil hat to their heads. It’s important not to talk past one another on issues like these. After all, these aren’t issues around cryptography or terrorism but around freedom, liberty and the pursuit of happiness, writ large.

The thing that concerns me to the point of lying awake thinking at night is the world that my six year-old son and two year-old daughter will inhabit. My formative years were spent growing up with the Web in its Wild West, frontier town-feel years. Being able to put up a website (in my case, as a sixteen year old, one about Monty Python) and have it accessible anywhere in the world was mind-blowing. But it wasn’t just that. It was the fact that people could connect with one another without boundaries relating to power, geography, class or skin colour.

That’s the Web we’ve lost – it’s well worth reading Anil Dash for more on that. The networked world that my children will inhabit (unless we do something about it) will constrain instead of liberate. It will be something to fear instead of something to embrace. And that greatly saddens me.

So beyond making relevant changes to my own personal setup I suppose I’ve got a responsibility to educate those around me. First, I need to scare them into taking privacy and security seriously. But then, second, I need to show them what appropriate steps look like to protect that. And if, as in the case of the NSA, appropriate steps on a personal level aren’t enough, then I need to encourage them to take appropriate (collective) political action.

I hope this goes some way to explaining why I haven’t got a 10 step guide on what to do to change your hardware/software setup to be NSA-proof. You can’t be. But you, we together can agitate for a better world. That’s not to say we should be complacent about our technological setups. Not at all. Now, more than ever, is a great time to review the information and details that may be unintentionally leaking out to the wider world without your knowledge.

In conclusion, then, I’ll not be breaking out my tinfoil hat anytime soon. And I’ll not be locking down my machines to a ridiculous extent. I’ll be trying out new operating systems, software and even hardware, but still want to be able to use someone else’s machine without huge amounts of hassle. And I need, especially for work reasons, to be able to communicate with others without being some kind of ‘special case’ that other people have to tolerate or, more likely, avoid.

The Internet on my laptop runs really slowly and it’s quite difficult to see sites because of all the toolbars that take up half of the screen. Also when I load the Internet I get annoyed by all the pop-ups that suddenly appear for adult dating sites and on-line gambling. I used to get lots of annoying messages on the Internet about things like ActiveX, but a friend showed me how to change my security settings so they don’t come any more.

Class.

I am not Richard Stallman

I occasionally use X11 for tasks that need graphics, but mostly I use a text console. I find that the text console is more efficient and convenient for the bulk of the work I do, which is editing text.

and:

I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I fetch web pages from other sites by sending mail to a program (see git://git.gnu.org/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it.

That’s as close to tinfoil hat-wearing as it actually gets.

The Moral

As Seth Godin often says, we need to surround ourself (intellectually, if we can’t physically) with outliers in order to challenge our thinking:

The crowd has more influence on us than we have on the crowd. It’s not an accident that breakthroughs in music, architecture, software, athletics, fashion and cuisine come in bunches, often geographic. If you need to move, move. At least change how and where you exchange your electrons and your ideas.

After all, as they say, bad habits are like a comfortable bed: easy to get into but hard to get out of.

There’s a political theory called the Overton window that is used to describe the narrow range of ideas that the public will accept. The degrees of acceptance goes like this:

Overton assigned a spectrum of “more free” and “less free”, with regard to government intervention, oriented vertically on an axis. When the window moves or expands along this axis, an idea at a given location may become more or less politically acceptable as the window moves relative to it. The degrees of acceptance[4] of public ideas can be described roughly as:

Unthinkable

Radical

Acceptable

Sensible

Popular

Policy

So at the start of the year, before the NSA revelations, it would be Unthinkable for an ‘ordinary’ person to adopt anything close to Stallman’s approach. Now, however, it’s at least Radical if not Acceptable or Sensible.

Conclusion

I’m not suggesting that we crypto everything or become paranoid to the extent that it consumes us. What I am suggesting (and what I’m doing myself) is to review the connected technologies and services I’m using. If you want to do something similar then I highly recommend you check out the Electronic Frontier Foundation’s Who Has Your Back? 2013 and, if you’ve never used Linux before, give elementaryOS a spin.* It’ll probably be an upgrade from what you’re using.

Like everyone else, I’m shocked yet not really surprised at the revelations that the US National Security Agency (NSA) have access to, well, basically anything they want. Since the news broke, I’ve been thinking about what would constitute an appropriate response.

I could, for example, attempt to lock down everything in an attempt to prevent the NSA spying on me. But, to be quite honest, this isn’t really an option: I haven’t got the skills to do so. It would also make my life significantly less enjoyable.

So, stepping back for a moment, I’ve been thinking about who I should be worried about. The current concerns seem to be directed at the US government for having access to people’s data. Now, while I don’t for one second like the fact that my data can (and possibly is being) triangulated, at least the ostensible aim of the NSA’s snooping is to protect people and save lives. Meanwhile, the aim of those allegedly involved in PRISM – companies like Facebook, Google and Microsoft – is to maximise shareholder value. Remember, it’s data these companies collected about their users that the US government deems important enough – and extensive enough – to capture.

In a democracy, we can do something about governments: we can replace them by means of elections. But where’s our recourse with private companies? Where are their checks and balances? While it would be easy to argue that we can replace services provided by Company X by those with Company Y, the problem comes with scale and cultural norms. I could (and probably should), for example, decide to swear off Facebook, Google+ and Twitter as they are private public spaces. But not only is there no viable alternative that respects my privacy, I would be a social outcast.

We need more transparent government, certainly. We need to resist secret laws that infringe our privacy to satisfy politicians’ whims and fancies. But it’s also important to keep some perspective here. We are all complicit. We voluntarily give up our privacy to get discounts and deals at supermarkets. We submit to tracking and data mining for the sake of shiny services. Every day we choose (or willingly allow) the sharing of our personal information with companies who host it on servers we do not control.

In my opinion, the best thing we can do in the wake of these revelations is to be more intentional about where we put our data. If we’re making a trade-off between ease-of-use (and shininess) and privacy, then we should be mindful of that. We should realise that we’re involved in a compromise. At the end of the day, it’s not about breaking out the tinfoil hat, it’s about being an informed, responsible, and literate citizen – whatever your position on the privacy spectrum.

I’m fortunate to work for Mozilla, a non-profit that doesn’t track people and, indeed, builds tools for users to be able to track the trackers. If you’d like to see who’s tracking you online, check out Collusion.

An article by Michael Erard has been doing the rounds recently. Entitled What I Didn’t Write About When I Wrote About Quitting Facebook, it simultaneously pokes fun at the growing genre of ‘social media exile essay’ whilst raising an interesting issue about the ways in which social networks mediate relationships. Erard concludes (my emphasis):

In the standard Social Media Exile essay, one doesn’t mention or announce when one returns to blogging or Twitter. For each platform or network one leaves, there’s another one to return to. Sometimes they’re the same. So I’m going to close this piece by breaking that convention and mentioning how easy it turns out to be to reactivate Facebook. When you sign back in, all your stuff is there, as if you’d never left. It’s like coming back to your country after a month in a foreign land, and it makes one feel that the whole reason for leaving is to make the place seem strange again. Being away from Facebook was certainly that. But I had to come back. That’s where all the people are. I’ve got a book coming out, and I need to let my friends know. Anyway, you know where to find me and what to talk about when you do. I’ll have some cookies baked.

Let’s cut to the chase: for better or worse, online, we currently act like brands. We can (and do) consider things like using a standardised avatar to increase recognition; we’re careful about what we say in certain kinds of company; we align ourselves with other brands (people, organizations, objects) to gain social capital. The trouble is that, in a similar way to a mall, we’re setting up shop on private property. We can be (and sometimes are) kicked out of spaces for violating lengthy, arcane user agreements written in legalese that few of us take the time to read. On various levels we control our digital identity, sometimes by self-censoring. This is problematic.

Some of us can play the game; Twitter and my online networks and reputation certainly helped me gain my last two jobs. But playing this game can be tiring. Each medium has its own vocabulary and syntax that one has to learn, as Erard demonstrates:

Instead of writing about any of this, once I was not on Facebook anymore, I found myself sending emails with some witty insights or photos of my baby, but it just wasn’t the same; a request for housing help for a friend via email got no responses.

Despite my impending Black Ops period, I’m actually not of the opinion that everything would just be alright if we all just got offline and talked to one another face-to-face. I remember reading recently that talking about the superficiality of social media is more than slightly disingenuous given the type of weather-related chat and insincere ‘how are you?’ questions that make up much of our offline interaction. There was no golden period of offline communication. Updating your Facebook status probably not time you would have otherwise spent in deep philosophical face-to-face conversation with your next-door neighbour.

But, nevertheless, there is a problem with online communication. Superficial conversations are (usually) neither recorded nor commodified in the ways they can be online. Erard again:

I hadn’t written about feeling like Facebook was a job. Like I was running on a digital hamster wheel. But a wheel that someone else has rigged up. And a wheel that’s actually a turbine that’s generating electricity for somebody else. That’s how I felt, which is what I should have written.

What we’re doing, in effect, is akin to renting houses when we should be buying them. The tools that commercial operations such Facebook, Twitter and Google+ give us are ‘free’ so we often don’t think through the issues clearly. Like a low-income people forced into dealing with a disreputable car dealers, we’re forced into hire-purchase with no real prospect of ownership.

Let’s run a quick thought experiment. Imagine Facebook started charging and, instead of a mass exodus, people (for whatever reason) kept using it. What would change? I think, for one, we’d question where our data was going and we’d want to get rid of the advertising. It’s been repeated so many times that it’s almost become a cliché, but if we’re not paying for something then we’re not customers. And if we’re not customers, we bring something to the marketplace that’s being sold on our behalf. We’re being tracked, packaged-up and sold to the highest bidder.

All this sounds alarmist, and it is, but all I’m trying to do is lift the veil a little. Discontent leads to a search for alternatives, so I suppose I’m trying to stoke the fires of discontent. We’re all in the same position: we need open, distributed social networks to avoid the above. But we’re in a Catch-22: no-one wants to make the first move to Identi.ca or Diaspora because it’s not social until all your friends are there, right?

Introduction

We just love our unelected leaders in the UK. Not only did Gordon Brown get to become Prime Minister without being elected to the position, but Peter (now ‘Lord’) Mandelson has his fingers in more pies of government behind the scenes that I think most people realise. I always think of Gríma Wormtongue from Lord of the Rings when I see him.

And now, of course, Mandelson is ‘First Secretary of State’, an honorific title all but making him Deputy Prime Minister. Oh, and he’s also Secretary of State for Business, Innovation and Skills as well as President of the Board of Trade. It’s a completecoincidence, of course, that his interest in the Digital Britain agenda (and ‘protecting’ intellectual property rights) was piqued after being wined and dined by David Geffen, co-founder of the Dreamworks studio with Steven Spielberg.

The Digital Economy Act

You would have thought that after all the scandal about MP’s expenses that Parliament would have cleaned itself up. Unfortunately the closest they get to this is a process called ‘wash-up’. Unfortunately, as Martin Bell writes in the Guardian:

This unfortunately has nothing to do with cleansing parliament from its many stains of corruption – more necessary now than ever. It is the term used to describe the negotiations between the parties to decide which bills will survive at the end of the parliamentary session and which will not. It is a secretive process, the modern equivalent of the smoke-filled room. Those taking part are the parties’ whips and business managers, plus officials from various government departments. Those excluded are the rank and file of MPs, together with independents and crossbenchers in the Lords. The wash-up is a stitch-up devised by and for the main political parties.

Government powers to cut off internet connections of those suspected in illegal file-sharing activities.

More government control over who can register .uk domain names and for what purposes.

As many commentators have pointed out, once the heavy hand of the State is upon you, the burden of proof will rest with you to prove that you haven’t been engaging in illegal activities. Proving that you haven’t done something is obviously a lot harder than you have.

iPREDator

Fortunately, there’s others who think like me. Not least the people behind both The Pirate Bay and the Swedish Pirate Party who have come up with iPREDator (named, ironically, after the PRED legislation in Sweden). It gives users a way of staying anonymous online.

How does it work? Via VPN (Virtual Private Network). Basically, they provide a tunnel through the internet and a proxy server through which to access everything online. You route your internet traffic through this and they guarantee not to spill the beans.

Why do I feel the need to cover my tracks? I’m not a massive user of Bittorrent and I’m certainly not engaged in any terrorist activities. But I do object to the State spying on me and potentially accusing me of stuff to shut down my internet connection. So I’m protecting myself.

You may have missed it, but there’s a privacy debate going on as we enter a new decade.* I wanted to share my thoughts, as I think there’s some confused thinking going on.

Usually, when people think of ‘privacy’ they’re actually conflating three notions:

Privacy – not being seen by others

Anonymity – not being identified by others

Ownership – the ability to control things

These are different and should be considered separately.

A lot of digital ink has been spilled recently over changes made by Facebook, the world’s most popular social networking site. Mark Zuckerberg, Facebook’s founder, claimed privacy is ‘no longer a social norm’ which prompted some nods of agreement, but also some vehement criticism. The ever-eloquent danah boyd pretty much sums up the backlash:

There isn’t some radical shift in norms taking place. What’s changing is the opportunity to be public and the potential gain from doing so. Reality TV anyone? People are willing to put themselves out there when they can gain from it. But this doesn’t mean that everyone suddenly wants to be always in public. And it doesn’t mean that folks who live their lives in public don’t value privacy. The best way to maintain privacy as a public figure is to give folks the impression that everything about you is in public.

It’s this control over the public/private debate that is often conflated with anonymity and ownership. And it’s not just media hacks that get this wrong, it’s people with letters after their name. Dr Kieron O’Hara, for example, believes that online life distorts privacy rights for all:

As more private lives are exported online, reasonable expectations are diminishing… When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes.

This effectively takes an argument reserved for celebrities (‘you live by the sword, you die by the sword’) and applies it to everyone else. Not so.

Most of what people object to in the name of ‘privacy’ online is merely technology making something that’s always been done easier or faster.

Object to being ‘tagged’ in a photo on Facebook? Did you likewise object when people passed around printed photos of you at a gathering back-in-the-day?

Don’t like your phone number being posted online? Is it ex-directory?

Not a fan of Google Street View? Do you stop people walking by your house and taking pictures of the local area?

I would argue that no-one has a ‘right’ to anonymity in anything apart from legal proceedings. To attempt to do so – even in an analogue world – is unrealistic.

Recently, I received a suggestion via Skribit that I blog about how I deal with ‘having such a public web presence’ coupled with the tendency of students to ‘google their teachers’. The question seems to be about privacy: do you really want students to know everything about you?

The answer to that can be summed up in one word: control. I am my own media outlet. It doesn’t cost me anything but time to do so. Of course I have secrets, my dark side, things that I don’t want people to find out. But I can control what is said about me. Google Alerts emails me when my name is mentioned somewhere on the internet. If it’s defamatory or negative, I give my side of the story, try and work things out. It’s no different than going to the village gossip to set things straight.

I moderate comments on my YouTube videos, I keep most photos of my family away from public viewing areas on Flickr, and not all of my Delicious links are available for viewing by everyone. That’s why I like Aza Raskin’s idea of a Creative Commons for Privacy. Just as Creative Commons licenses have made it absolutely clear under what conditions you can re-use someone’s artistic work or media (see the top of this post), so a similar system for privacy would give unambiguous recourse for privacy violations. People will tend towards openness, of course they will.

But then I’m not so sure that people being open, controlling their digital identity and learning how to respect the wishes of others is such a bad thing. It’s all about being clear and unamibugous.

Your day begins with a wake-up call from your Google Android phone. As you run to the shower, you hit Google News and check headlines, then Gmail. Your first appointment of the day has been moved to a new location; Google Maps will direct you there. Quickly update your expense report–including the printout of that sales presentation using, say, Google Template–and shoot them to the back office in India (in Hindi, if you prefer, with Google Translate). Your boss wants to discuss your group’s contributions to some marketing documents? Lean on Google Groups. You’re not even out the door yet. You have the rest of the day to search for work-critical information on the Web while you’re at the office–to say nothing of snatching a few moments to download a game, check stock prices, organize your medical records, share photos and pick a restaurant and movie for the evening. How convenient.

I love Apple stuff. I love Google stuff even more because it’s free, is often the best solution, and most of the time promotes collaboration and sharing. However, I’m a bit concerned that they could know a little too much about me. Here’s the Google stuff I use currently:

Google Chrome web browser

Google Apps (personal)

Google Apps Education Edition (at work)

Google Picasa

Google Product Search

Google FastFlip

Google Maps

Google Dictionary

I wasn’t very far away last month from purchasing AlertMe Energy for our house. This uses Google PowerMeter to show how much energy you are using at home. It’s better than the LCD display we’ve got currently, but I was a bit uneasy about it – for the same reasons that I would be about using Google Health.

It’s all very well using the best stuff, but at what cost? All it would take is a government requisition of the data from one company and, if I used Google PowerMeter and Health in addition to the products I already use, they could know:

What I’ve been looking at online.

The names of my family and friends.

Where I’ve been recently.

Who I’ve been communicating with and what about.

What I look like, as well as what my friends and family look like.

My political bias.

How much energy I’ve been using at home.

My health record.

I think that’s too much information to put into the hands of one company, even if there mantra is Don’t be evil.

So I won’t be buying an Android phone. I won’t be buying AlertMe Energy (or any other service that uses Google PowerMeter) or using Google Health either.

I have to say that it’s a potential problem, not an actual one at the moment… I’ll keep you updated.